In the past year or so we have seen production of ASIC devices designed for mining of cryptocurrencies. These devices can perform SHA256 hashing at rates much higher than was seen in the past and are continually advancing in power. Can such devices be used to perform cryptanalysis instead of mining? Does this development pose a threat to our current security assumptions?

Most cryptography is far out of brute-force range, even with ASIC. Password hashing is one of the few exceptions. Among the commonly used password hashes, PBKDF2-HMAC-SHA-256 is closest to bitcoin mining. But I suspect mining ASICs are too specialized to attack it.
– CodesInChaos♦ Nov 22 '13 at 16:09

1

Even though the ASIC devices for mining could be converted into efficient cryptanalysis devices, most calculations of the cost of cryptanalysis already assume that the most energy-efficient devices possible are used in the attack. @JoelFan, you may like to read the paper for scrypt (a password-based key derivation algorithm). It investigates the cost of attacking password-based key derivation using ASICs. From this paper, it is clear that an ASIC can be orders of magnitude better than a standard PC or a network of PCs, but if there is enough entropy, the prob is too big.
– user4982 Nov 22 '13 at 19:55

@CodesInChaos: It might not be self-evident that PBKDF2-HMAC-SHA-256 is close to bitcoin mining. Bitcoin mining benefits from parallelization, while PBKDF2 (with a high iteration count) is serial by design. How large a database of intermediate values would you need, in order to not have the device sit idle while it is waiting for the next round?
– Henrick Hellström Dec 5 '13 at 11:35

@HenrickHellström Password hashing with different password guesses is parallel as well. If you had fixed SHA-256 cores and flexible logic between the calls, that could be used for both hashing and mining. But I doubt miners contain those flexible parts required to repurpose them to crack PBKDF2.
– CodesInChaos♦ Dec 5 '13 at 11:48

1 Answer
1

Practicality: Using a bitcoin miner for cryptanalysis would at the very least require you to write very low-level custom code. Indeed, depending on the precise hardware/software split used by the miner, it might well require modifying the actual hardware to facilitate your cryptanalytic attack. Anyway, let's suppose someone could 'convert' one. What would this mean?
Well, if someone could convert a bitcoin ASIC into a viable cryptanalysis box, then you can bet the ASIC companies would just go ahead and produce them directly.

It is probably reasonable to assume that groups actively involved in cryptanalytic attacks already use some of the best hardware available, so in practice a converted miner would still probably leave you behind the curve. Anyway, supposing it did, your question would boil down to:

What would happen if the 'effectiveness'$^{[1]}$ of cryptanalytic equipment suddenly advanced by an order of magnitude?

Most good crypto is believed to be well outside the bounds of brute force (e.g. see these answers about AES, RSA), even when we make very generous assumptions about an adversary's computational power. As such, even relatively significant improvements in cryptanalytic equipment (which is what your question suggests) will make a negligible difference to these problems.

Notes:

[1] We assume 'effectiveness' has some appropriate meaning for the problem in hand, e.g. cost/size/speed etc.
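The comments above distinguish the serial chain inside one PBKDF2 evaluation (each HMAC call consumes the previous output) from the parallelism across independent password guesses, and the answer's point is that a fixed-size improvement in hashing speed buys little against a keyspace that is exponential in entropy. The following Python block is an added illustration, not code from the question, the answers or any of the commenters: it writes out PBKDF2-HMAC-SHA-256 (RFC 8018) so the data dependency between iterations is visible, checks it against the standard library, and estimates expected attack time from an assumed SHA-256 rate, an iteration count and a password entropy figure. The rate constants in the usage section are constructed, round numbers chosen for illustration, not measurements of any device.

```python
import hashlib
import hmac
import math
import struct


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2 with HMAC-SHA-256 as in RFC 8018, section 5.2.

    Written out explicitly so the serial structure is visible: within one
    derived block, U_i = HMAC(P, U_{i-1}), so iteration i cannot start
    before iteration i-1 has finished. Only separate password guesses
    (separate calls to this function) are independent of each other.
    """
    out = b""
    block_index = 1
    while len(out) < dklen:
        # U_1 = HMAC(P, S || INT(i)), the only step that sees the salt directly
        u = hmac.new(password, salt + struct.pack(">I", block_index), hashlib.sha256).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()  # depends on previous u
            for j in range(32):
                t[j] ^= u[j]  # T_i = U_1 xor U_2 xor ... xor U_c
        out += bytes(t)
        block_index += 1
    return out[:dklen]


def sha256_compressions_per_guess(iterations: int, dklen: int = 32) -> int:
    """Rough cost of checking one password guess, in SHA-256 compression calls.

    Each HMAC over a short message costs two compressions (inner and outer
    hash, with the padded-key compressions amortised away). This ignores the
    key-padding precomputation and is meant for order-of-magnitude estimates.
    """
    blocks = math.ceil(dklen / 32)
    return 2 * iterations * blocks


def expected_attack_seconds(entropy_bits: float, iterations: int, sha256_rate: float) -> float:
    """Expected time to find a password of the given entropy by exhaustive
    guessing, assuming a device able to do `sha256_rate` compressions per
    second (an assumed figure supplied by the caller) that can be kept busy
    with independent guesses. On average half the keyspace is searched.
    """
    expected_guesses = 2 ** entropy_bits / 2
    return expected_guesses * sha256_compressions_per_guess(iterations) / sha256_rate


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bool:
    """Cross-check the explicit implementation against hashlib."""
    return pbkdf2_hmac_sha256(password, salt, iterations, dklen) == hashlib.pbkdf2_hmac(
        "sha256", password, salt, iterations, dklen
    )


if __name__ == "__main__":
    assert matches_stdlib(b"correct horse", b"constructed-salt", 4096)

    # Constructed, illustrative rates: a CPU-class figure and one several
    # orders of magnitude higher, standing in for specialised hardware.
    for label, rate in (("1e9 compressions/s", 1e9), ("1e15 compressions/s", 1e15)):
        for entropy, iters in ((40, 1), (40, 100_000), (80, 100_000), (128, 1)):
            secs = expected_attack_seconds(entropy, iters, rate)
            print(f"{label}: {entropy:3d}-bit password, c={iters:>6}: "
                  f"{secs:.3e} s (~{secs / 3.156e7:.3e} years)")
```

Two things the numbers make visible: raising the iteration count multiplies the attacker's cost linearly and is the only lever the defender has once the password is fixed, while each additional bit of entropy doubles it, so a million-fold faster device shifts the feasible boundary by only about twenty bits. A random 128-bit key stays out of reach at any rate you care to plug in, which is the answer's point about AES and RSA.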

Actually, the crypto we use isn't scaled to 'suppose we used every atom in the universe as a computer'; at those levels, AES-256 (for example) is fairly quickly broken; instead, we attempt to scale our primitives to a more realistic work effort (that we still have good reason to believe is beyond any plausible attacker). This doesn't change your main point; that bitcoin mining hardware doesn't have anywhere close enough horsepower to make a dent against a modern crypto primitive.
– poncho Nov 22 '13 at 16:46

Yes indeed, I'll correct that. I didn't mean to imply that all algorithms were that secure (which I definitely have with what I've written)!
– figlesquidge Nov 22 '13 at 16:49

@poncho: According to the Internet it is a fact that Bruce Schneier can break AES-256 keys. However, if the adversaries are earth-based, the assumption that the adversary does not use computers larger than the planet is likely correct. I think user8911 wrote a good answer here.
– user4982 Nov 22 '13 at 19:50